Win32/Monitor.Netmon.A - help!!

One of my friend has just installed NOD32. He had AVG before. He did a scan and NOD found the following:
"application Win32/Monitor.Netmon.A found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\Program Files\Network Monitor\netmon.exe"

How could he get out of this threat? Is it dangerous? Is there any other option besides scanning in Safe Mode?

 

RELAX!!

The application is NOT dangerous at all. It's a Microsoft Network Monitor used to capture network traffic. As you can see by the nature of the description this 'COULD' be classified as a potentially unwanted application. It's detected by NOD32's 'Potentiall Dangerous Applications' option. Uncheck this to remove detection for this type of application.

To remove the program (lets not call it a threat) use the Add/Remove Programs option in the Windows control panel.

 

i_kenefick sorry to contradict you. Indeed it's not so dangerous, but that file shouldn't be there in Program Files. So it's a threat, not a part of MS.

Anyway, my friend deleted it manually than scanned again and the system is clean now.

Additionally NOD32 found many other viruse that AVG didn't even heard about.

 

It IS a Microsoft Program. It's default directory is %WINDIR%\Program Files so um yeah it should be there since someone installed it. Just because it didn't come with the OS doesn't mean it's shouldn't be there. For it to exist there in the first place means someone actually needed it sometimes (or thought they did) and installed it. You are not contradicting me... you are just incorrect.

Now you have lots of unwanted registry junk and dll's. All you had to do was uninstall from the Control Panel This is a good example of how to break windows OS and make it unstable. What if this program had added contextual menu or worse added something to the Winsock LSP chain? Your friends Windows installation would be in a big mess. Deleting .exe's is fine for malware [it's not like Malware comes with an addition to add/remove programs ]- but for genuine installations then it should be removed using an uninstaller which contacins info like the files added during the install and registry entries which can safely be removed.

The important thing to remember with files detected as 'applications' by NOD32 or any other AV for that matter. If the uninstaller exists use it otherwise you will have a lot of files and entries leftover after simply deleting the executable.

No disrespect to free av solution but this is no surprise

 

Relax, The netmon.exe file is Riskware, part of Microsoft's Network Monitor as noted above. You could have uninstalled it, but NOD32 deletes the reg keys in the 'RUN' category anyway, so you are safe enough. Yet, you should try to uninstall it the proper way in order to ensure proper functioning of Windows.

 

ok, Firecat, thx for the reply

But strange I don't have that file on my computer...

 

You probably haven't installed the application. You need to capture packets and analyse their contents? Are you debugging software which transmits data over a network? If you don't then you probably don't need this applciation anyways. Similar products are Ethereal and Commview.

 

no, I'm not doing none of these. And not my friend does...

 

I also noticed that netmon.exe is also added as part of the MIMAIL.M worm. But if this was the case, NOD32 should have already detected files infected by MIMAIL, or perhaps netmon.exe is a leftover.

Just to be 100% sure, you should check for the registry entries of Mimail.M and delete them if you find any.

Description of MIMAIL.M: http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.m@mm.html
http://vil.mcafeesecurity.com/vil/content/v_100856.htm

 

I think this is the solution Firecat. My friend has no ideea of using Network Monitor, he has just installed Windows 2 days ago and then he entered some crack websites. (he was using AVG , and he installed NOD32 only today)

He did another full scan with NOD32 and he found nothing.
Thx for the info

 

NETMON.exe with respect to Mimail is actually a MIMAIL component. If it was MIMAIL it would be detected as MIMAIL. In this case it's definately NOT MIMAIL.